ISA Server 2004 Best Practices Analyzer Tool (IsaBPA)

The ISA Server Best Practices Analyzer is a tool that collects configuration data from the local ISA Server computer, such as ISA configuration settings, hardware configuration, OS configuration and more. It examines the above information. Then it notifies the user if there are any configuration issues, and provides information regarding how to fix them.

What Does IsaBPA Cover?

The current release of IsaBPA performs more than 100 checks. Some of the issues that can be detected are:

Certificate management issues, such as an invalid or a missing certificate on the published web server or on the ISA Server computer itself.

Single network adapter scenario issues, such as the use of the External network in the policy.

Deployment issues, such as missing basic access rules.

Networking issues, such as inability to connect to the DNS server or to the Configuration Storage Server (in Enterprise Edition.)

IsaBPA Features

The ISA Server Best Practices Analyzer has several cool features. The tool has a live update mechanism. It allows the administrator to check whether there are new updates for the tool and download them. You can set this tool to check for live updates every time the tool starts. In addition, if you are a command-line person, you can run this tool from the command-line or schedule a weekly scan.

Using IsaBPA

IsaBPA can be used in a number of ways. It can be used to proactively check the health of the ISA Server deployment, finding issues that may increase the stability of the system, improve security and improve performance. It can also be used to assist troubleshooting of a particular issue. In many cases, the use of IsaBPA can eliminate the need for calling Microsoft support.It is noteworthy that the tool is not invasive in any way. It does not change anything in the system. IsaBPA only informs you about probable issues and suggests ways to fix them.

First of all, we are looking into listing hundreds of ISA properties, so you may all view your ISA settings (even some settings that cannot be viewed via the MMC). Next we are thinking about adding new checks. We might add several OWA checks, for instance a check that examines the ports specified for listening and for bridging. We are also thinking about adding basic Configuration Storage Server checks, some RADIUS checks, and more. Finally, we are looking into bugs found in the last release.

1) ISABPA reports ISA installed on Virtual PC but Virtual Server 2005 R2 is installed
2) It is not possible to run ISAINFO in ISABPA. ISABPA creates the ISAINFO XML file but nothing is displayed in ISABPA. YOu have to run ISAINFO manually. I tested it with ISABPA 2.5.3439.50 and configuration file 4.0.3440.277 english and german ISA)
3) ISA reports missing certificates but there are two certificates in the computer certificate store.
4) The link to the ISA Security Hardening Guide is wrong. The correct path is: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx

The IsaBPA can run the ISAInfo. You can find the output at the IsaBPA install directory at %programfiles%\Microsoft IsaBPA. To view this file at its best, you can also download the ISAInfo xml parser, which is not included in the IsaBPA package.

The certificates that the IsaBPA are looking for should have a corresponding private key as well as being located at the computer certificate store.

The other issues are known and will be fixed for next version.

tshinder

16 Jan 2006 6:20 PM

Overall, I think the BPA at the point is more of a troubleshooting tool for those unquainted with the ISA firewall. But I have to say I didn't find much in terms of "best practices". Thanks! --Tom.

Patrice

17 Feb 2006 3:30 PM

I have installed and tested ISA BPA on my ISA Servers.

The following message 'This ISA Server computer is not hardened' has been displayed in the report.

What are the criteria used to say that the ISA Server is not hardened?
Can we have the exact details of the tests performed?

Patrice

Seth

2 Mar 2006 7:21 PM

I too have run the SCW and BPA tool and still get the message that this server is not hardened. Kind of frustrating when the link it points to for hardening basically says to use the SCW if you have 2k3 SP1 and then not much else otherwise.